8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
Size

3.9MB
MD5

30c9c57aa570088d745fac7bfd05b805
SHA1

d579d18848859614e219afa6332d410e0ca71fc3
SHA256

8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383
SHA512

182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c
SSDEEP

98304:oOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRF:rmZb0bEds4XFR0OiC/GT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
2504	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2812	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	28
PID 2924 wrote to memory of 2812	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	28
PID 2924 wrote to memory of 2812	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	28
PID 2924 wrote to memory of 2812	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	28
PID 2924 wrote to memory of 2504	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	29
PID 2924 wrote to memory of 2504	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	29
PID 2924 wrote to memory of 2504	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	29
PID 2924 wrote to memory of 2504	2924	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe	29

C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
"C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
  "C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe
  "C:\Users\Admin\AppData\Local\Temp\8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a83a05beeb7184113ce016fbc3c686fd

SHA1
27f6f9465c96a60af84e61949eccc5134f7d9ea9

SHA256
e4787c2213f3f369b53c30e36a054b1a376b682ccd4acc1d1ca7a5e0fe4c697f

SHA512
ad486bdcefd1e1954462264a758b62c316faa3ef8e3d72cb16c44417a753df12c8813b7944ec0e99d4374311ee5425732bf0398278f671136fe32ac0a8636534

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
62f73a5e1fea99d2cb3d58c66aebe1ce

SHA1
df101738f4b13b8eca4f1a650aab848fb0b31cf5

SHA256
3fbd8ee4ed8440f13247d5e64d5cfc6d8c1fa171a03c8cf1212358d3b01a3ad4

SHA512
03b2801d009cceddc47bd48fadb3fb404b0e560716588add0729387e423bfc857cd56d7edffd9da1594395ac75be084a9abfe3eb33eaf180d1655c3022d6629e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b6f1fd1e75b3033dfa4c19a216de962f

SHA1
1f74678d8f0621ff3a5a84aabf90723df24b9bdc

SHA256
947621205131295dc7d2fd0b3cf5cd0c75ca12e38b7be99583b65f72f6286c15

SHA512
5a4f7a19d15c7132178795d24cb45cfa10ba717d78761a269484b890a7d7123ec4afcaceb944508caa8bc5dd118821c115731cce12dc78e53ddfb664b673b8ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a4700d8d3b2300eb0ea65f03ac83c474

SHA1
ef59daf206b3668bfdccc9081029d462e5526ea2

SHA256
6b519f8c9de34b7ce47a2b617431bdd399519a7427ba72888062246218ce1804

SHA512
4011aad22ce135cfb191dde86131f0ce907b2c01f0dc610374044c01e5cdf0b1c9d6e10e276db84fb330a3dfbdf426789a330e4718e8c05bf0a24e15dc28d96c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
7d72d082c6a2cb66ec84d8f8f0a0086d

SHA1
4c69fff0cbfe8872a338e3421159866c3192e724

SHA256
c7c4c490f30310a668d1be9ad1e720313b9f1741af85433ac0245089674711f4

SHA512
db4747e84daaafb710ba0f4c4bc9bf51e78311cf96e6715ffee3edc3f6b3d2766f98d931b2886f74ca0ebf33d54d968a034a51d05d1ca5b201f9df68f245fe99

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7ac3713e92d7e2a53f1a1d96a0943525

SHA1
3dac732cce8244118659ab145202059a09655f70

SHA256
fa2e352ff210dee693bfbfee1ca088c16c054db8529f032fd13fede3641a624f

SHA512
8239748f653fc2a29329aaf4b5d5652106089f6f3c6c5783d7e4d3dd67340b814da585483ea535acbf45b69c7de691df20bbd889304387565d335cf93a48199c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
971da4299da00d3b989bcc93c1e3f0e9

SHA1
3f846abb1f620af05ad1b3399bdd182127f261cd

SHA256
68b59db8a46dac40f6f31228a69b31e7f3ee0159e258ccd615e3084c9f1fcec9

SHA512
c22a66b2a64669041bff0186ff1bd24ef6de6ebb53fe61b93f6c1c34b94edc1f52075657fab4b38263cd53068539c02150aee6e38bb9baa2058f0597ff00b15c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
417ec88238abd8adcf756c0d433a260f

SHA1
5891e67397ffbb7c600cb8540a0eb7a4703aa12d

SHA256
0b56bb3656a22d5a10a0b0468b2b32256618c27951df188882c8761cad5f4779

SHA512
de8bbfd5778220d1b2b5635f08dc7b88ce9982f235b155c2f0069ad19def80531ecb18cd82c77cb268f2c5280d0ac4b2f1ea1b291516538abf18927066f10597

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d9b86f58d5a492f311444d96f96a4ecd

SHA1
ef598fd7c6cc527a9a373265165a479eb6cb5355

SHA256
f05820fa9ad23ae4eda7057938fc92d7786d7a158bbaa6b309cbdbdc73262789

SHA512
01aaa62a6b1fe2a58594f81edf9338b8b374a4b907b4c0b65fc51934dfff3d6245867f876f9b6bc713a644a04209978e698f531a1aa45ef20f69fe70b2a6b077

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c2e8c116c5fa64866feaace783823a85

SHA1
d4e1d421b385a9a1d51f3bfd4f4116230862f285

SHA256
0005383943b05b1f2930ed0f1ce2376eeeadb1a1ec7b4519b9f336c12f9087de

SHA512
842f57dadd554b54a4f233f800f2dbb0ef744572839e400f2ea0da056a47be07327bcc88bd124aff171de24cb9f9cc20a8be5ccf758c937a34ec6f493c51f9eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
6083015de5773a87b0310d405cba8b55

SHA1
51fd5119a7b40593ed9f96256ebe5099e3682d87

SHA256
d9314faace3339b1224c9b80db055a94695009ebf8e0328fd60f093203630ad9

SHA512
3802febbf98b8d174dab09cff85c2f333057f747755a821000656c90db471c83f1b91b314b19c295cc3f38880779584e005c3a2a4ef6030f86bbd083552ca3f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
6bb2fb32d637aad04e4c85b703e69719

SHA1
6cb1149df921b8b3aba29eab065e4561c2015884

SHA256
c96d7e4fe68b0a26f8247d66a4bacd1edf0dc74ec4916ac0e3375eb1aee12d6e

SHA512
486ce35ffa6fbe52b0c4a53269cde5fd44845f4bec380feafb2a9dd3ec2fb290fda2718d2d48efd5c91890142997ce381852fcfc8414644c347082128367bd55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1e5bf24da6335584778579373658d32a

SHA1
b1ed756e34573eeaf5b58355190e160ed82d4f9c

SHA256
f92f31524424616b826db6e81ce0f6c2816c6ebf019ad744d612ae9b1776bb91

SHA512
a02a9ddbec6f2d42f4097e2a136646ffa666d83e616084a50ab9c372287f08139611e253e79e0bdae26f9810a2935f802caac8095b41ee1e185006e0908bc8ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e255daa2ba2d5f9529345e6a7e7f7f4a

SHA1
279871bd2ef1484dd6ee20e72154ccd37e5e4d66

SHA256
efab6fbbbf9c5fdd7f4a14f7ebe69f800c9fac371cf3f5d6c9326ef45a41ed79

SHA512
e02088b94ea71afd127a8708cc75bbe0fb26bc137c9273ca8426e7ed6677441f297e3a7d8e7bf62f7a26c6a144675e094a33f0ff6eaefe580c02665026db72bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
510d96666530da65c19c295a3b7b5135

SHA1
656286cd0228b57eac1a3d78525ef360fdb135b1

SHA256
127322e8646054c85a7a0f62a734128980281013124d5719692cd849b66b26be

SHA512
d85379a51111d6e38beb1f2789c40ce34630494d155eb7eb6cfdf75b6e467466c5ea172aca4f35860621182ecd62d4f3935dc9f720196478bac8e0c74c31fdd0

Download Submit
memory/2504-16-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2504-262-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2504-103-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-102-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-261-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-283-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-9-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-117-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2812-146-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-126-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-2-0x0000000001244000-0x0000000001EEF000-memory.dmp

Filesize
12.7MB

Download
memory/2924-119-0x0000000001244000-0x0000000001EEF000-memory.dmp

Filesize
12.7MB

Download
memory/2924-0-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-3-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-101-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-263-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download
memory/2924-201-0x0000000001240000-0x00000000022C5000-memory.dmp

Filesize
16.5MB

Download